diff options
Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0048-proc-fix-coredump-vs-read-proc-stat-race.patch')
| -rw-r--r-- | common/recipes-kernel/linux/linux-yocto-4.9.21/0048-proc-fix-coredump-vs-read-proc-stat-race.patch | 105 |
1 files changed, 0 insertions, 105 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0048-proc-fix-coredump-vs-read-proc-stat-race.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0048-proc-fix-coredump-vs-read-proc-stat-race.patch deleted file mode 100644 index 30c8de50..00000000 --- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0048-proc-fix-coredump-vs-read-proc-stat-race.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 476f6e1404b0b16c48ae53249ffb362a16bf376c Mon Sep 17 00:00:00 2001 -From: Alexey Dobriyan <adobriyan@gmail.com> -Date: Thu, 18 Jan 2018 16:34:05 -0800 -Subject: [PATCH 48/93] proc: fix coredump vs read /proc/*/stat race - -commit 8bb2ee192e482c5d500df9f2b1b26a560bd3026f upstream. - -do_task_stat() accesses IP and SP of a task without bumping reference -count of a stack (which became an entity with independent lifetime at -some point). - -Steps to reproduce: - - #include <stdio.h> - #include <sys/types.h> - #include <sys/stat.h> - #include <fcntl.h> - #include <sys/time.h> - #include <sys/resource.h> - #include <unistd.h> - #include <sys/wait.h> - - int main(void) - { - setrlimit(RLIMIT_CORE, &(struct rlimit){}); - - while (1) { - char buf[64]; - char buf2[4096]; - pid_t pid; - int fd; - - pid = fork(); - if (pid == 0) { - *(volatile int *)0 = 0; - } - - snprintf(buf, sizeof(buf), "/proc/%u/stat", pid); - fd = open(buf, O_RDONLY); - read(fd, buf2, sizeof(buf2)); - close(fd); - - waitpid(pid, NULL, 0); - } - return 0; - } - - BUG: unable to handle kernel paging request at 0000000000003fd8 - IP: do_task_stat+0x8b4/0xaf0 - PGD 800000003d73e067 P4D 800000003d73e067 PUD 3d558067 PMD 0 - Oops: 0000 [#1] PREEMPT SMP PTI - CPU: 0 PID: 1417 Comm: a.out Not tainted 4.15.0-rc8-dirty #2 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc27 04/01/2014 - RIP: 0010:do_task_stat+0x8b4/0xaf0 - Call Trace: - proc_single_show+0x43/0x70 - seq_read+0xe6/0x3b0 - __vfs_read+0x1e/0x120 - vfs_read+0x84/0x110 - SyS_read+0x3d/0xa0 - entry_SYSCALL_64_fastpath+0x13/0x6c - RIP: 0033:0x7f4d7928cba0 - RSP: 002b:00007ffddb245158 EFLAGS: 00000246 - Code: 03 b7 a0 01 00 00 4c 8b 4c 24 70 4c 8b 44 24 78 4c 89 74 24 18 e9 91 f9 ff ff f6 45 4d 02 0f 84 fd f7 ff ff 48 8b 45 40 48 89 ef <48> 8b 80 d8 3f 00 00 48 89 44 24 20 e8 9b 97 eb ff 48 89 44 24 - RIP: do_task_stat+0x8b4/0xaf0 RSP: ffffc90000607cc8 - CR2: 0000000000003fd8 - -John Ogness said: for my tests I added an else case to verify that the -race is hit and correctly mitigated. - -Link: http://lkml.kernel.org/r/20180116175054.GA11513@avx2 -Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> -Reported-by: "Kohli, Gaurav" <gkohli@codeaurora.org> -Tested-by: John Ogness <john.ogness@linutronix.de> -Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> -Cc: Ingo Molnar <mingo@elte.hu> -Cc: Oleg Nesterov <oleg@redhat.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - fs/proc/array.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/fs/proc/array.c b/fs/proc/array.c -index c932ec4..794b52a 100644 ---- a/fs/proc/array.c -+++ b/fs/proc/array.c -@@ -423,8 +423,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, - * safe because the task has stopped executing permanently. - */ - if (permitted && (task->flags & PF_DUMPCORE)) { -- eip = KSTK_EIP(task); -- esp = KSTK_ESP(task); -+ if (try_get_task_stack(task)) { -+ eip = KSTK_EIP(task); -+ esp = KSTK_ESP(task); -+ put_task_stack(task); -+ } - } - } - --- -2.7.4 - |